📄 Description (English)
Uncontrolled search path elements in Anthropic Claude for Windows installer (Claude Setup.exe) versions prior to 1.1.3363 allow local privilege escalation via DLL search-order hijacking. The installer loads DLLs (e.g., profapi.dll) from its own directory after UAC elevation, enabling arbitrary code execution if a malicious DLL is planted alongside the installer.
🤖 AI Executive Summary
CVE-2026-22561 is a local privilege escalation vulnerability in Anthropic Claude for Windows installer versions before 1.1.3363, exploitable through DLL search-order hijacking. An attacker with local access can plant malicious DLLs in the installer directory to achieve arbitrary code execution with elevated privileges post-UAC elevation. While no public exploit exists and no patch is currently available, the vulnerability poses a significant risk to organizations where Claude is deployed on shared or insufficiently secured Windows systems.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 28, 2026 22:03
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using Claude for Windows, particularly in government agencies (NCA, NCSC), banking sector (SAMA-regulated institutions), and energy companies (ARAMCO, downstream operators) face localized privilege escalation risks. The vulnerability is most critical in shared workstation environments common in Saudi corporate settings and government offices. Financial services and critical infrastructure sectors are at elevated risk due to the potential for lateral movement post-exploitation. Telecom operators (STC, Mobily) deploying Claude for AI-assisted operations may also be affected if installed on administrative or shared systems.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Energy and Utilities
Telecommunications
Healthcare
Critical Infrastructure
Defense and Security
🎯 MITRE ATT&CK Techniques
T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1547.014 - Boot or Logon Autostart Execution: Active Setup
T1036.005 - Masquerading: Match Legitimate Name or Location
T1053.005 - Scheduled Task/Job: Scheduled Task
T1543.001 - Create or Modify System Process: Windows Service
⚖️ Saudi Risk Score (AI)
7.2
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Inventory all Claude installations across Windows systems, prioritizing shared workstations and administrative machines
2. Restrict physical and local access to machines running vulnerable Claude versions
3. Implement file integrity monitoring on directories containing Claude installers
4. Review local user account privileges and disable unnecessary local admin accounts
Patching Guidance:
1. Upgrade Claude to version 1.1.3363 or later when available
2. Until patching is possible, uninstall Claude from non-essential systems
3. If Claude must remain installed, apply compensating controls immediately
Compensating Controls (if patch unavailable):
1. Implement Application Whitelisting (AppLocker/Windows Defender Application Control) to restrict DLL loading from non-system directories
2. Enable Windows Defender Exploit Guard and configure Attack Surface Reduction rules
3. Restrict write permissions to Claude installation directories to SYSTEM and Administrators only
4. Disable UAC elevation for Claude installer or run installations in isolated environments
5. Monitor for suspicious DLL files in Claude installation directories
Detection Rules:
1. Monitor for DLL files created in Claude installation directory with suspicious names (profapi.dll, etc.)
2. Alert on Claude Setup.exe execution with UAC elevation followed by DLL loading from non-system paths
3. Track file modifications in %ProgramFiles%\Anthropic\Claude\ directory
4. Monitor process creation with parent process Claude Setup.exe
5. Implement YARA rule: detect unsigned DLLs in Claude installation paths
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حصر جميع تثبيتات Claude على أنظمة Windows، مع إعطاء الأولوية للمحطات المشتركة والآلات الإدارية
2. تقييد الوصول المادي والمحلي للآلات التي تقوم بتشغيل إصدارات Claude الضعيفة
3. تنفيذ مراقبة سلامة الملفات على الدلائل التي تحتوي على مثبتات Claude
4. مراجعة امتيازات حسابات المستخدمين المحليين وتعطيل حسابات المسؤول المحلي غير الضرورية
إرشادات التصحيح:
1. ترقية Claude إلى الإصدار 1.1.3363 أو أحدث عند توفره
2. حتى يتم التصحيح، قم بإلغاء تثبيت Claude من الأنظمة غير الأساسية
3. إذا كان يجب أن يبقى Claude مثبتاً، طبق الضوابط البديلة على الفور
الضوابط البديلة (إذا لم يكن التصحيح متاحاً):
1. تنفيذ القائمة البيضاء للتطبيقات (AppLocker/Windows Defender Application Control) لتقييد تحميل DLL من الدلائل غير النظام
2. تفعيل Windows Defender Exploit Guard وتكوين قواعد تقليل سطح الهجوم
3. تقييد أذونات الكتابة إلى دلائل تثبيت Claude على SYSTEM والمسؤولين فقط
4. تعطيل ارتفاع UAC لمثبت Claude أو تشغيل التثبيتات في بيئات معزولة
5. مراقبة ملفات DLL المريبة في دلائل تثبيت Claude
قواعد الكشف:
1. مراقبة ملفات DLL التي تم إنشاؤها في دليل تثبيت Claude بأسماء مريبة (profapi.dll، إلخ)
2. تنبيه عند تنفيذ Claude Setup.exe برفع UAC متبوعاً بتحميل DLL من مسارات غير نظام
3. تتبع تعديلات الملفات في دليل %ProgramFiles%\Anthropic\Claude\
4. مراقبة إنشاء العملية مع عملية الوالد Claude Setup.exe
5. تنفيذ قاعدة YARA: كشف ملفات DLL غير الموقعة في مسارات تثبيت Claude
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control Policies (local privilege escalation prevention)
ECC 2024 A.5.2.1 - User Registration and De-registration (privileged account management)
ECC 2024 A.5.3.1 - Access Rights Review (monitoring elevated privilege usage)
ECC 2024 A.8.1.1 - Asset Inventory (software asset management and tracking)
ECC 2024 A.8.3.1 - Asset Disposal (secure removal of vulnerable software)
🔵 SAMA CSF
SAMA CSF ID.AM-1 - Asset Management (inventory of Claude installations)
SAMA CSF PR.AC-1 - Access Control Policy (privilege escalation prevention)
SAMA CSF PR.AC-4 - Access Rights Management (monitoring and restricting elevated access)
SAMA CSF DE.CM-1 - Detection and Analysis (monitoring for exploitation attempts)
SAMA CSF RS.MI-1 - Incident Mitigation (containment of privilege escalation attacks)
🟡 ISO 27001:2022
ISO 27001:2022 A.5.2 - Information Security Policies (access control framework)
ISO 27001:2022 A.6.2 - Internal Organization (privilege management)
ISO 27001:2022 A.8.1 - Asset Management (software inventory and control)
ISO 27001:2022 A.8.2 - Configuration Management (secure configuration of applications)
ISO 27001:2022 A.8.3 - Information and Other Assets (protection of system integrity)
🟣 PCI DSS v4.0.1
PCI DSS 2.1 - Configuration Standards (secure configuration of software)
PCI DSS 6.2 - Security Patches (timely patching of vulnerabilities)
PCI DSS 7.1 - Access Control (limiting access to system components)
PCI DSS 10.2 - Logging and Monitoring (detection of unauthorized access attempts)
📦 Affected Products / CPE 1 entries
anthropic:claude